[EMAIL PROTECTED] wrote:
> > Excellent, so a "tcprst" rule instead of "reject" in the host's packet
> > firewall is ok then?
> 
> No principal objections. Why not?
> 
> Only I do not understand very well, why to do it. Port unreachable
> or admin. prohibited have the same effect in practice.

No, they do have quite a different effect.

I don't want to simply prohibit a connection: I want the other end's
attempt to abort immediately.

This occurs with port 113 (auth/ident) -- I want to prohibit connections
to that port using firewall rules.  Using a "reject" rule, the remote end
will retry for 20 seconds or so before returning to the application
level -- that means an SMTP server takes that long to accept any emails
I send it, as do some FTP servers.  Using "tcprst" avoids this delay.

It's just one particular example but I hope you see my point.

-- Jamie
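The delay Jamie describes, seen from the connecting application's side, as an added example that is not part of this thread: a minimal RFC 1413 ident query with a bounded timeout that reports whether the peer answered, sent a RST (immediate failure, the effect a "tcprst" rule gives), or left the caller waiting. The closed-port helper is a constructed stand-in for a host whose firewall answers with a RST.

```python
"""Added example (not from the thread): an ident (RFC 1413) lookup that
classifies how the remote side answered.  A TCP RST fails connect() at
once; a dropped SYN, or an ICMP error the client stack treats as a soft
error, keeps the caller waiting until the timeout expires."""
import socket
import time

IDENT_PORT = 113


def ident_lookup(host, server_port, client_port, timeout=5.0,
                 ident_port=IDENT_PORT):
    """Return (outcome, detail, seconds) where outcome is 'answer'
    (ident reply text in detail), 'refused' (RST received) or 'timeout'."""
    start = time.monotonic()
    # RFC 1413 query: "<port on this host> , <port on the remote host>"
    query = f"{server_port} , {client_port}\r\n".encode("ascii")
    try:
        with socket.create_connection((host, ident_port),
                                      timeout=timeout) as s:
            s.sendall(query)
            reply = s.recv(1024).decode("ascii", "replace").strip()
        return "answer", reply, time.monotonic() - start
    except ConnectionRefusedError:
        # The peer (or its firewall) sent a RST: connect() fails immediately,
        # so the calling server gets on with its real work.
        return "refused", "RST", time.monotonic() - start
    except socket.timeout:
        # No RST and no hard error: the SYN was dropped (or the ICMP error
        # was treated as soft) and the stack retried until our deadline.
        return "timeout", "no response", time.monotonic() - start


def closed_loopback_port():
    """Constructed test input: allocate an ephemeral port, then release it,
    so nothing listens there and the kernel answers the SYN with a RST."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Simulates an SMTP server (port 25) probing a client on port 54321.
    print(ident_lookup("127.0.0.1", 25, 54321,
                       ident_port=closed_loopback_port()))
```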